Cisco Support Community
New Member

Site to Site VPN using incorrect Crypto Map

I am having difficulty with a site-to-site VPN using the wrong crypto map.

When I try to bring a site-to-site tunnel up with a 3DES/SHA1 tunnel, the tunnel tries to use AES/SHA1. Is there a bug in the 9.1 code that could be causing this issue? I already have another 3DES/SHA1 tunnel up and it works.


crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map0 1 match address outside_cryptomap
crypto map outside_map0 1 set pfs
crypto map outside_map0 1 set peer 20.20.20.20
crypto map outside_map0 1 set ikev1 transform-set ESP-3DES-MD5 ESP-3DES-SHA
crypto map outside_map0 1 set nat-t-disable
crypto map outside_map0 2 match address outside-stevensons_cryptomap_1
crypto map outside_map0 2 set pfs
crypto map outside_map0 2 set peer 11.11.11.11
crypto map outside_map0 2 set ikev1 transform-set ESP-3DES-MD5 ESP-3DES-SHA
crypto map outside_map0 2 set ikev2 ipsec-proposal Site 2
crypto map outside_map0 2 set ikev2 pre-shared-key *****
crypto map outside_map0 3 match address outside-stevensons_cryptomap_2
crypto map outside_map0 3 set peer 119.252.89.106
crypto map outside_map0 3 set ikev1 transform-set ESP-3DES-MD5 ESP-3DES-SHA
crypto map outside_map0 3 set ikev2 ipsec-proposal Site 3
crypto map outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map0 interface outside-stevensons


2 REPLIES
VIP Purple


The "problem" is probably caused by a misunderstanding of IPsec. You show a config for the protected data (IPsec SAs), which is configured with 3DES and MD5/SHA1. But when you see AES, you are probably looking at the "management" tunnel (IKE SA), which is controlled by the "crypto ikev1 policy" commands. And there you probably have policies with AES.

All in all, I wouldn't see a problem in that. You should even consider using AES with SHA1 if the other side supports that. 3DES and MD5 are legacy and outdated crypto, and better algorithms are available. If you can use AES/SHA1, then use that.



--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
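An added example to make the split in this reply concrete (it is not part of the original thread and not a Cisco tool): a small Python script that parses an ASA running-config and reports, for one peer, what the box will offer for the IKE SA (taken from the "crypto ikev1 policy" blocks, lowest priority number first) separately from what it will offer for the IPsec SAs (the transform-sets bound to that peer's crypto map entry), and flags DES/3DES/MD5 wherever they appear. The sample config is constructed for the example: it mirrors the poster's crypto map entries, with the peers kept as placeholders and two hypothetical IKE policies (aes and 3des) added so that the phase-1/phase-2 difference is visible.

```python
"""Split an ASA running-config into what the IKE SA and the IPsec SAs negotiate.

Added example, not from the original thread. Two config sections decide a tunnel's algorithms:
  - "crypto ikev1 policy N" blocks          -> IKE SA (the "management" tunnel, phase 1)
  - transform-sets bound in the crypto map  -> IPsec SAs (the protected data, phase 2)
"""
import re

# Constructed sample (hypothetical): the poster's crypto map entries plus two
# IKE policies so the phase-1 / phase-2 split is visible. Peers are placeholders.
SAMPLE_CONFIG = """\
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map0 1 match address outside_cryptomap
crypto map outside_map0 1 set peer 20.20.20.20
crypto map outside_map0 1 set ikev1 transform-set ESP-3DES-MD5 ESP-3DES-SHA
crypto map outside_map0 2 match address outside_cryptomap_1
crypto map outside_map0 2 set peer 11.11.11.11
crypto map outside_map0 2 set ikev1 transform-set ESP-3DES-MD5 ESP-3DES-SHA
crypto map outside_map0 interface outside
crypto ikev1 policy 10
 encryption aes
 hash sha
 group 2
crypto ikev1 policy 20
 encryption 3des
 hash sha
 group 2
"""

LEGACY = {"des", "3des", "md5"}  # algorithms a current tunnel should not rely on


def _base(alg):
    # 'esp-3des' -> '3des', 'esp-md5-hmac' -> 'md5', 'aes-256' stays 'aes-256'
    return re.sub(r"-hmac$", "", re.sub(r"^esp-", "", alg))


def parse_ikev1_policies(config):
    """{priority: {...}} in ascending priority, the order the ASA offers them in phase 1."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^crypto ikev1 policy (\d+)\s*$", line)
        if m:
            current = int(m.group(1))
            policies[current] = {}
        elif current is not None and line.startswith(" "):
            parts = line.split()
            if len(parts) == 2 and parts[0] in ("authentication", "encryption", "hash", "group"):
                policies[current][parts[0]] = parts[1]
        else:
            current = None  # any other top-level line ends the policy block
    return dict(sorted(policies.items()))


def parse_transform_sets(config):
    """{name: [esp algorithms]} from the 'crypto ipsec ikev1 transform-set' lines."""
    sets = {}
    for line in config.splitlines():
        m = re.match(r"^crypto ipsec ikev1 transform-set (\S+) (.+)$", line)
        if m:
            sets[m.group(1)] = m.group(2).split()
    return sets


def parse_crypto_map_entries(config):
    """{(map, seq): {'acl':..., 'peers': [...], 'transform_sets': [...]}}."""
    pat = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer|set ikev1 transform-set) (.+)$")
    entries = {}
    for line in config.splitlines():
        m = pat.match(line)
        if not m:
            continue  # 'set pfs', 'interface' and dynamic-map lines are not needed here
        entry = entries.setdefault((m.group(1), int(m.group(2))),
                                   {"acl": None, "peers": [], "transform_sets": []})
        kind, args = m.group(3), m.group(4).split()
        if kind == "match address":
            entry["acl"] = args[0]
        elif kind == "set peer":
            entry["peers"].extend(args)
        else:
            entry["transform_sets"].extend(args)
    return entries


def explain_peer(config, peer):
    """What the ASA offers `peer`, split by SA type, plus DES/3DES/MD5 findings."""
    policies = parse_ikev1_policies(config)
    tsets = parse_transform_sets(config)
    hits = [(k, e) for k, e in parse_crypto_map_entries(config).items() if peer in e["peers"]]
    if not hits:
        raise ValueError(f"no crypto map entry has peer {peer}")
    (map_name, seq), entry = hits[0]
    ipsec = [(n, tsets.get(n, ["<undefined transform-set>"])) for n in entry["transform_sets"]]
    findings = [f"ikev1 policy {prio} uses {_base(a)}" for prio, p in policies.items()
                for a in (p.get("encryption"), p.get("hash")) if a and _base(a) in LEGACY]
    findings += [f"transform-set {n} uses {_base(a)}" for n, algs in ipsec for a in algs
                 if _base(a) in LEGACY]
    return {"crypto_map": f"{map_name} {seq}", "acl": entry["acl"],
            # phase 1, what 'show crypto ikev1 sa' reflects, in negotiation order
            "ike_sa_offers": [(p.get("encryption"), p.get("hash"), p.get("group")) for p in policies.values()],
            # phase 2, what 'show crypto ipsec sa' reflects for this peer
            "ipsec_sa_offers": ipsec,
            "legacy_findings": findings}
```

Running `explain_peer(SAMPLE_CONFIG, "11.11.11.11")` on the sample returns AES first for the IKE SA and only 3DES transform-sets for the IPsec SAs, which is exactly the "AES on the IKE SA, 3DES on the data" picture the reply describes. On the ASA itself the same split is visible with `show crypto ikev1 sa` (IKE SA) and `show crypto ipsec sa` (the per-SA transform actually protecting traffic): if the former shows AES and the latter 3DES, the box is doing what the config says.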
New Member


Hi Karsten, thanks for clarifying. Unfortunately the other side does not support AES/SHA. I will look into my IKE policies again.